In this LDAP utilities section we will cover four things: letting end users manage their own passwords with Self Service Password (SSP), the password unlock procedure, automating password expiry notifications, and automating LDAP backups.

Self Service Password

Self Service Password is a PHP application from the LTB (LDAP Tool Box) project that allows users to change their password in an LDAP directory. This section covers only the minimum configuration needed to get it working. For full details on Self Service Password, refer to the project's site.

Install SSP

On the LDAP server, create a file /etc/apt/sources.list.d/ltb-project.list and add the content below. Import the LTB project repository signing key as well, so that apt can verify the packages before you install them.

The Apache configuration creates an Alias for Self Service Password, enables basic authentication on it, and restricts access to members of the ssp group (this assumes you have already created a group called ssp and added users to it). Because basic authentication sends the user's credentials with every request, serve SSP only over HTTPS.
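The following script is an added example and is not the configuration from the original page. It writes the Apache fragment described above (Alias, basic authentication against LDAP, access limited to the ssp group) and adds the check a practitioner wants: SSLRequireSSL, so the directory is never served over clear-text HTTP. It assumes Apache 2.4 with the Debian layout (a2enmod, conf-available), SSP files under /usr/share/self-service-password, that cn=ssp,ou=groups,dc=devopsideas,dc=com is a posixGroup whose members are listed in memberUid, and that a read-only bind DN cn=apache,dc=devopsideas,dc=com exists for the group lookup; none of these details are given on the original page.

```shell
#!/bin/sh
# Added example, not the original page's configuration: publish Self Service
# Password under /ssp, restrict it to members of the ssp group through
# mod_authnz_ldap, and refuse plain HTTP so Basic-auth credentials only travel
# over TLS. Assumptions (not stated on the original page): Apache 2.4 with the
# Debian layout (a2enmod, conf-available), SSP files under
# /usr/share/self-service-password, cn=ssp,ou=groups,dc=devopsideas,dc=com is a
# posixGroup listing memberUid values, and a read-only bind DN
# cn=apache,dc=devopsideas,dc=com exists for the group lookup.
set -eu

SSP_ROOT="/usr/share/self-service-password"
SUFFIX="dc=devopsideas,dc=com"
CONF="/etc/apache2/conf-available/ssp.conf"

# Print the Apache fragment. The apache bind password is taken as $1; read it
# from a root-only file rather than typing it on the command line.
render_ssp_conf() {
  cat <<EOF
Alias /ssp ${SSP_ROOT}

<Directory ${SSP_ROOT}>
    # Basic auth sends the password (base64, not encrypted) with every request,
    # so reject anything that did not arrive over TLS before asking for it.
    SSLRequireSSL
    AuthType Basic
    AuthName "Self Service Password"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost/ou=people,${SUFFIX}?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=apache,${SUFFIX}"
    AuthLDAPBindPassword "$1"
    # ssp is a posixGroup: members are listed by uid in memberUid, not by DN
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=ssp,ou=groups,${SUFFIX}
</Directory>
EOF
}

# Write the fragment, enable the modules it needs and reload Apache.
install_ssp_conf() {
  a2enmod ssl ldap authnz_ldap >/dev/null
  render_ssp_conf "$1" > "$CONF"
  chmod 0640 "$CONF"          # the file holds the apache bind password
  a2enconf ssp >/dev/null
  apachectl configtest
  systemctl reload apache2
}

if [ "${1:-}" = "install" ]; then
  install_ssp_conf "$2"
fi
```

Run it as root with `./ssp-apache.sh install '<apache bind password>'`. If the ssp group is a groupOfNames rather than a posixGroup, switch to `AuthLDAPGroupAttribute member` and `AuthLDAPGroupAttributeIsDN on`, since members are then stored as full DNs.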

General parameters config

Edit the configuration file /usr/share/self-service-password/conf/config.inc.php and update it with the values below.

Refer to the SSP documentation for a complete description of the configuration variables. We have trimmed the configuration down to resetting the password through the SSP application alone; you can extend it with SMS or e-mail token verification for additional security.

In this example we use a separate identity (sspadmin) for the bind and the password update, and update the ACL so that sspadmin is allowed to reset user passwords. We do this because the bind password has to be stored in config.inc.php, and storing the root DN's (cn=admin,dc=devopsideas,dc=com) password in a file is not recommended: if the sspadmin password leaks, the attacker gains write access to the password attribute only, not to the whole directory.

First, create the sspadmin identity. Create a file named sspadminid.ldif with the content below.
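As an added example (not the original page's LDIF), the script below generates the sspadmin entry and the matching ACL change and applies both. It assumes the suffix dc=devopsideas,dc=com, that the data database is olcDatabase={1}mdb,cn=config, that ACLs are managed through cn=config (olcAccess), and that it runs as root on the LDAP server so the ldapi:/// EXTERNAL bind works; check the database DN with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase` before running it. The resulting DN is what goes into SSP's `$ldap_binddn` (with its password in `$ldap_bindpw`) in config.inc.php.

```shell
#!/bin/sh
# Added example, not the original page's LDIF: create the sspadmin bind identity
# and add an ACL that lets it write userPassword, so SSP can bind as sspadmin
# instead of the root DN. Assumptions (not from the original page): the suffix is
# dc=devopsideas,dc=com, the data database is olcDatabase={1}mdb,cn=config,
# ACLs are managed through cn=config (olcAccess), and the script runs as root on
# the LDAP server so the ldapi:/// EXTERNAL bind works.
set -eu

SUFFIX="dc=devopsideas,dc=com"
SSPADMIN_DN="cn=sspadmin,${SUFFIX}"
DB_DN="olcDatabase={1}mdb,cn=config"

# LDIF for the sspadmin entry. The hash is passed in (slappasswd -s 'secret')
# so the clear-text password never has to be written into a file.
gen_sspadmin_ldif() {
  cat <<EOF
dn: ${SSPADMIN_DN}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sspadmin
description: Bind identity used by Self Service Password
userPassword: $1
EOF
}

# ACL change. Index {0} places the rule before the existing ones, so it is
# matched first for userPassword: sspadmin and the user may write it, anonymous
# may only use it to authenticate, everyone else gets nothing.
gen_acl_ldif() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="${SSPADMIN_DN}" write
  by self write
  by anonymous auth
  by * none
EOF
}

# Create the entry, load the ACL and show the resulting rule order.
apply() {
  gen_sspadmin_ldif "$(slappasswd -s "$1")" | ldapadd -x -D "cn=admin,${SUFFIX}" -W
  gen_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "$DB_DN" -s base olcAccess
}

if [ "${1:-}" = "apply" ]; then
  apply "$2"
fi
```

The final ldapsearch is the check worth keeping: the userPassword rule must be listed at index {0}, because olcAccess rules are evaluated in order and the first `to` clause that matches the attribute wins. Note that with ppolicy, a password set by sspadmin rather than by the user counts as an administrative reset; if your policy has pwdMustChange set, the account is marked pwdReset and the user is forced to change the password again at next login (SSP's `$who_change_password` setting controls whether the manager or the user performs the change).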

Run this script from cron once a day. Based on the pwdExpireWarning value set in the ppolicy overlay, users are notified once their password comes within the warning period of its expiry. In this example the warning period is 7 days before the password expires. Refer to the ppolicy section for more context on this.
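The script below is an added example, not the notification script from the original page. It reads pwdMaxAge and pwdExpireWarning from the default policy entry, reads pwdChangedTime from each user, and mails those whose expiry falls inside the warning window, using the same arithmetic slapd uses (expiry = pwdChangedTime + pwdMaxAge). It assumes the suffix dc=devopsideas,dc=com, users under ou=people with a mail attribute, a default policy entry at cn=default,ou=policies,dc=devopsideas,dc=com, and that ldapsearch and mail are installed; none of these names are given on the original page.

```shell
#!/bin/sh
# Added example, not the original page's script: mail every user whose password
# expires within the ppolicy warning window. pwdChangedTime is read from each
# user entry; pwdMaxAge and pwdExpireWarning are read from the default policy.
# Assumptions (not from the original page): suffix dc=devopsideas,dc=com, users
# under ou=people with a mail attribute, the default policy entry is
# cn=default,ou=policies,dc=devopsideas,dc=com, and ldapsearch and mail exist.
set -eu

SUFFIX="dc=devopsideas,dc=com"
PEOPLE="ou=people,${SUFFIX}"
POLICY_DN="cn=default,ou=policies,${SUFFIX}"

# Days since 1970-01-01 for a proleptic Gregorian date (y m d), so the script
# does not depend on GNU "date -d".
days_from_civil() {
  local y m era yoe doy doe
  y=$1; m=$2
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + $3 - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC) -> seconds since the epoch
ldap_time_to_epoch() {
  local t y mo d h mi s
  t=$1
  y=$(printf '%s' "$t" | cut -c1-4);    mo=$(printf '%s' "$t" | cut -c5-6)
  d=$(printf '%s' "$t" | cut -c7-8);    h=$(printf '%s' "$t" | cut -c9-10)
  mi=$(printf '%s' "$t" | cut -c11-12); s=$(printf '%s' "$t" | cut -c13-14)
  # drop a leading zero so "08" is not read as an (invalid) octal number
  mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
  echo $(( $(days_from_civil "$y" "$mo" "$d") * 86400 + h * 3600 + mi * 60 + s ))
}

# Whole days left before expiry (negative when already expired).
days_until_expiry() { # changed_epoch max_age_seconds now_epoch
  echo $(( ($1 + $2 - $3) / 86400 ))
}

# True when expiry is still ahead but no more than pwdExpireWarning seconds
# away: the same window in which slapd returns the expiring control.
should_warn() { # changed_epoch max_age warn now
  local left
  left=$(( $1 + $2 - $4 ))
  [ "$left" -gt 0 ] && [ "$left" -le "$3" ]
}

# Single attribute value of one entry (pwdChangedTime is operational, so it is
# only returned when asked for by name).
ldap_attr() { # dn attr
  ldapsearch -x -LLL -b "$1" -s base "$2" | awk -v a="$2:" '$1 == a { print $2 }'
}

notify_expiring() {
  local now max_age warn
  now=$(date -u +%s)
  max_age=$(ldap_attr "$POLICY_DN" pwdMaxAge)
  warn=$(ldap_attr "$POLICY_DN" pwdExpireWarning)
  if [ "${max_age:-0}" -le 0 ]; then
    echo "pwdMaxAge is not set, passwords do not expire" >&2; return 0
  fi
  # One "uid mail pwdChangedTime" line per user. Users who have not changed
  # their password since ppolicy was enabled have no pwdChangedTime: they are
  # skipped here (their password does not expire until the first change).
  ldapsearch -x -LLL -b "$PEOPLE" '(objectClass=inetOrgPerson)' uid mail pwdChangedTime \
  | awk '/^uid:/ {u=$2} /^mail:/ {m=$2} /^pwdChangedTime:/ {c=$2}
         /^$/ { if (u && m && c) print u, m, c; u=m=c="" }
         END  { if (u && m && c) print u, m, c }' \
  | while read -r uid mail changed; do
      changed_epoch=$(ldap_time_to_epoch "$changed")
      if should_warn "$changed_epoch" "$max_age" "$warn" "$now"; then
        days=$(days_until_expiry "$changed_epoch" "$max_age" "$now")
        printf 'Hello %s,\n\nYour LDAP password expires in %s day(s). Please change it.\n' \
          "$uid" "$days" | mail -s "Password expiry notice" "$mail"
      fi
    done
}

if [ "${1:-}" = "run" ]; then
  notify_expiring
fi
```

Cron entry, for example `0 7 * * * root /usr/local/sbin/ldap-expiry-notify.sh run`. Two caveats: the script uses the default policy only, so users with their own pwdPolicySubentry are judged against the wrong pwdMaxAge; and the ldapsearch runs as an anonymous bind, so it only works if your ACLs let anonymous read uid, mail and pwdChangedTime, otherwise bind as a read-only service account.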

Create a cron entry to run the backup once a day, or as often as you need. Make sure the path where the backup files are stored is encrypted, for example on an encrypted filesystem: a full directory dump contains every userPassword hash in the directory. Once backed up, you can use this backup strategy to copy the files to AWS S3 as well.
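The following backup script is an added example and is not the script from the original page. It dumps the config database (slapcat -n 0) and the data database (slapcat -n 1) straight into gpg, so the plain-text LDIF never touches the disk, keeps a local copy for a retention period and copies each file to S3. It assumes backups live under /var/backups/ldap, that the recipient's public key is already in root's keyring, that the AWS CLI is configured with credentials that can only put objects into the bucket, and an mdb backend so slapcat can run while slapd is up; the key id and bucket name are placeholders.

```shell
#!/bin/sh
# Added example, not the original page's script: nightly slapcat dump of the
# config database (-n 0) and the data database (-n 1), encrypted with gpg to a
# public key, pruned after a retention period and copied to S3. Assumptions
# (not from the original page): backups go under /var/backups/ldap, the
# recipient's public key is already in root's keyring, the AWS CLI is configured
# with credentials that may only PutObject into the bucket, and the backend is
# mdb so slapcat can run while slapd is up.
# cron: 30 2 * * * root /usr/local/sbin/ldap-backup.sh run
set -eu
# fail the pipeline if slapcat fails, not only if gpg does (where supported)
(set -o pipefail 2>/dev/null) && set -o pipefail

BACKUP_DIR="${BACKUP_DIR:-/var/backups/ldap}"
GPG_RECIPIENT="${GPG_RECIPIENT:-ldap-backup@devopsideas.com}"   # assumed key
S3_URI="${S3_URI:-s3://devopsideas-ldap-backups}"               # assumed bucket
RETAIN_DAYS="${RETAIN_DAYS:-14}"

# ldap-<what>-<YYYYMMDDHHMM>.ldif.gpg
backup_name() { # what stamp
  echo "ldap-$1-$2.ldif.gpg"
}

# Dump one database straight into gpg so the plain LDIF, which contains every
# userPassword hash, never touches the disk. Prints the path written.
dump_encrypted() { # dbnum what stamp
  local out
  out="${BACKUP_DIR}/$(backup_name "$2" "$3")"
  slapcat -n "$1" | gpg --batch --yes --trust-model always -r "$GPG_RECIPIENT" -o "$out" -e
  chmod 0600 "$out"
  echo "$out"
}

# Remove local copies older than N days; prints what was deleted.
prune_old() { # dir days
  find "$1" -maxdepth 1 -type f -name 'ldap-*.ldif.gpg' -mtime +"$2" -print -delete
}

run_backup() {
  local stamp f
  stamp=$(date -u +%Y%m%d%H%M)
  mkdir -p "$BACKUP_DIR"; chmod 0700 "$BACKUP_DIR"
  for f in "$(dump_encrypted 0 config "$stamp")" "$(dump_encrypted 1 data "$stamp")"; do
    aws s3 cp "$f" "${S3_URI}/$(basename "$f")" --sse AES256
  done
  prune_old "$BACKUP_DIR" "$RETAIN_DAYS"
}

if [ "${1:-}" = "run" ]; then
  run_backup
fi
```

Encrypting to a public key means the backup host never holds the private key: keep that key offline and test a restore (`gpg -d ... | slapadd -n 1` on a scratch server) before you rely on the backups. Restricting the S3 credentials to PutObject means a compromise of the LDAP server cannot delete or read earlier backups; add a bucket lifecycle rule for expiry instead.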

With this we have implemented all the use cases that were described in the scenario. This concludes the OpenLDAP series.

Feel free to leave your comments or suggestions in the comment section below or by mail (admin@devopsideas.com).